1.1. Nicoventures Retail (UK) Limited, company number 10235033, (referred to as “we”, “us”, “our” or “BAT””) uses closed circuit television (“CCTV”) for VIP and Vype stores situated in the UK (the “Stores”). The CCTV system assists with identifying and preventing criminal activity and for the purpose of securing the safety and well-being of occupiers, staff and visitors, and to protect property.

1.2. Depending on the store you visit, the CCTV system is owned by either Hunter Communication Services Limited (“Hunter”) or Proactive Security Services Limited (“Proactive”). Both systems areoperated by BAT.

1.3. This document sets out the purpose, accepted use and management of the CCTV equipment and images to ensure that we comply with relevant data protection and privacy laws including: the General Data Protection Regulation 2016 and the Data Protection Act 2018 (together referred to as the “Data Protection Laws”), and related laws including but not limited to, the Human Rights Act 1998 (“CCTV Laws”).

1.4. This policy has been produced in line with the Information Commissioner’s Office (“ICO”) CCTV Code of Practice. This policy is non-contractual and does not form part of the terms and conditions of any employment or other contract. We may amend this policy at any time.

1.5. The CCTV system provides still/video pictures, which are transmitted from cameras positioned in the stores. All of the CCTV cameras are fixed on a particular scene. The images will be transmitted to a digital video recorder which is housed in a locked office at on-site at each of the stores. Access will be restricted via a locked door. The images will be stored on the hard drive of the digital video recorder (“DVR”). The DVR will be located within a locked cabinet or locked underneath the front desk. The images can be viewed by:

       1.5.1. CCTV operators in the Security Team based in the Southampton (“Southampton Control Room”); and

       1.5.2. Logging into the central server via a remote location through the use of a secure password by Area and Security Managers (“Senior Managers”).

1.6. This policy document will be subject to review annually to include consultation as appropriate with interested parties.

1.7. CCTV digital images (if they show an identifiable person) constitute personal data, and are covered by Data Protection Laws, as well as all other CCTV Laws. This document provides individuals with information about their rights in respect of personal data which is processed as part of our use of CCTV.

1.8. Nicoventures is registered with the ICO with registration number ZA247632.



2.1. Our board of directors have overall responsibility for ensuring compliance in accordance with relevant data protection laws and the effective operation of this policy. Day-to-day management responsibility for deciding what information is recorded, how it will be used and to whom it may be disclosed has been delegated to the Retail Technical Manager and Southampton Control Room. Day-to-day operational responsibility for CCTV cameras and the storage of data recorded is the responsibility of Retail /Southampton

2.2. The ICO has regulatory oversight of the application of this policy within our organisation and is ultimately responsible for ensuring compliance with it and the CCTV Laws.


3.1. We have considered and determined that the purposes for which the CCTV is deployed are legitimate as well as being reasonable, appropriate and proportionate. We have installed CCTV systems:

       3.1.1. to prevent crime and protect buildings and assets from damage, disruption, vandalism and other crime;

       3.1.2. for the personal safety of staff, visitors and other members of the public and to act as a deterrent against crime;

       3.1.3. to support law enforcement bodies in the prevention, detection and prosecution of crime;

       3.1.4. to assist in day-to-day management, including ensuring the health and safety of staff and others;

       3.1.5. to assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings; and

       3.1.6. to assist in the defence of any civil litigation, including employment tribunal proceedings. 

3.2. Where our use of CCTV involves the processing of personal data for the above purposes, we will rely on the following lawful bases:

       3.2.1. processing is necessary for compliance with a legal obligation (for example, where processing relates to health & safety obligations or where we are obligated to provide
        information to law enforcement); and

       3.2.2. processing is necessary for the purposes of the legitimate interests of us or a third party, but only where these interests are not overridden by the rights and freedoms of the
       datasubject (for example, processing relating to security purposes and our general use of CCTV).

3.3. We may also process personal data relating to our use of CCTV where it is necessary for the establishment, exercise or defence of legal claims.

3.4. We will not carry out automated decision making or profiling in respect of our use of CCTV.



4.1. The CCTV operating system will be administered and managed by BAT in accordance with the principles and objectives set out in this policy. The day-to-day management will be the responsibility of the Retail Technical Manager and the Southampton Control Room. The CCTV system will be operated and monitored 24 hours a day, 365 days of the year.

4.2. Warning signs are placed in all areas covered by the CCTV cameras.

4.3. On a daily basis the Southampton Control Room will check and confirm the efficiency of the system, ensuring that the cameras are functional and the equipment is properly recording. If emergency maintenance is required, the Southampton Control Room will contact the Retail Technical Manager in order for a call out to be authorised.  

4.4. The on-site office which houses the CCTV at each of the stores will be restricted via a locked cabinet or locked in a cupboard under the front desk. The system will only be staffed by personnel who are trained in the system’s use and familiar with this policy. There will always be at least one Security or Area Manager available to actively monitor the system, otherwise the room housing the CCTV will be locked.

4.5. Unless an immediate response to events is required, operators will not re-direct cameras at an individual, their property or a specific group of individuals, without an authorisation being obtained from a Security Manager.

4.6. We will adhere to our emergency procedures when necessary in an emergency situation (for example, allowing access to CCTV to personnel of the emergency services).

4.7. The CCTV system is designed to ensure maximum effectiveness and efficiency but it is not possible to guarantee that the system will cover or detect every single incident taking place in the areas of coverage.


5.1. We, and/or authorised staff, would only undertake covert recording in exceptional circumstances and in accordance with Data Protection Laws and ICO Guidelines. Covert recording would only be employed if requested by the appropriate authorities such as the police.

5.2. Covert surveillance will be carried out in an appropriate and compliant manner to ensure that the subjects of the surveillance are unaware that it is, or may be, taking place. Any such covert monitoring must only be carried out for a limited and reasonable amount of time consistent with the objectives of monitoring, and only for the prevention of a specific suspected unauthorised activity (e.g. anti-fraud, theft, etc.). All such occasions must be fully documented showing who made the decision to use covert monitoring and why. 

5.3. All our maintained cameras must otherwise be readily visible to any person in the vicinity with suitable signage displayed. As their usage is to monitor the general activities happening in the vicinity, such monitoring is not covert and authorisation is not required. If the CCTV cameras target a particular individual, and are being used to monitor that individual’s activities, that becomes a specific operation and will require authorisation.



6.1. CCTV images will only be accessed if an event occurs that we cannot be expected to ignore, such as criminal activity, fraud, gross misconduct, or behaviour that puts others at risk. Where possible, viewing of recorded images will always take place in a restricted or secure area.

6.2. Images can be monitored on-site by a store manager or from a remote location through the use of a secure password.

Access to and Disclosure of Images to Third Parties

6.3. Access to and disclosure of images recorded on CCTV will be restricted and carefully controlled. This will ensure that the rights of individuals are protected, and also ensure that the images can be used as evidence if required. Images may only be disclosed in accordance with the purposes for which they were originally collected.

6.4. Disclosures to third parties will only be made in accordance with the purposes for which the system is used and will be limited to:

       6.4.1. police and other law enforcement agencies, where the images recorded could assist in a specific criminal enquiry and / or the prevention of terrorism and disorder;

       6.4.2. other British American Tobacco (“BAT”) entities to assist with investigations or disciplinary processes;

       6.4.3. prosecution agencies (such as the Crown Prosecution Service);

       6.4.4. relevant legal representatives of people whose images have been recorded and retained (unless disclosure to the individual would prejudice criminal enquiries or
       criminal proceedings);

       6.4.5. individuals who have been caught on our CCTV in accordance with a request made such as one described at section 8 below;

       6.4.6. in exceptional cases, for others (such as insurers) to assist in identification of a victim, witness or perpetrator in relation to a criminal incident; and

       6.4.7. staff involved with our disciplinary processes.

6.5. Recorded images will never be released to the media for purposes of entertainment.



7.1. Images and recording logs will be retained and disposed of in accordance with this policy.  

7.2. For digital recording systems, CCTV images held on the hard drive of a PC or server will be overwritten on a recycling basis once the drive is full, and in any event, will not be held for more than 30 days, without prior authorisation by an Area Security Manager for reasons which are recorded and notified to an Area Security Manager.

7.3. In order to ensure that the rights of individuals recorded by the CCTV system are protected, we will ensure that data gathered from CCTV cameras is stored in a way that maintains its integrity and security.

7.4. All digital recordings will be password protected to maintain security. Recording media no longer in use will be securely destroyed.

7.5. CCTV footage will only be stored on data disks if it is requested by external agencies in the process of detecting crime and in the prosecution of offenders.

7.6. We will not transfer CCTV images/footage outside of the EEA.



8.1. Data Protection Laws give individuals the right to access personal data about themselves, including CCTV images and footage. Individuals may exercise this right through what is known as a data subject access request (or DSAR for short).

8.2. Requests for access to CCTV images/footage must include:

       8.2.1. the full name and address of the person making the request; 

       8.2.2. a personal description of the data subject and/or details of what they were wearing to ensure we can locate the individual, and only relevant images are disclosed;

       8.2.3. the approximate date and time when the images were recorded to allow for searching; and

       8.2.4. the location where the images were recorded.

8.3. We cannot charge for a data subject access request unless it meets one of the exceptions set out under the Data Protection Laws.

8.4. All requests for access to images by individuals (when they are asking for access to images of themselves) should be addressed by post with the subject heading ‘CCTV Subject Access Request’ to the Retail Technical Manager, Minerva House, 63-77 Hornby Street, Bury, Manchester, BL9 5BW; or alternatively by email at [email protected]

8.5. If we cannot comply with the request, the data subject will be advised of this in writing.

8.6. Under certain circumstances, individuals also have the right to:
       8.6.1. have their personal data corrected where it is inaccurate;

       8.6.2. have their personal data erased where it is no longer required (provided that we do not have any continuing lawful reason to continue processing their personal data);

       8.6.3. have their personal data transferred to another individual/organisation in an appropriate format;

       8.6.4. withdraw their consent to processing (where consent is our lawful basis); and

       8.6.5. restrict the processing of their personal data.

8.7. Individuals should also be aware that they have the right to object to the processing of their personal data.

8.8. Individuals who wish to exercise any of their data subject rights (or have any queries) should contact the Retail Technical Manager by post with the subject heading ‘CCTV Subject Access Request’ to Minerva House, 63-77 Hornby Street, Bury, Manchester, BL9 5BW; or alternatively by email at [email protected].



9.1. Any complaints about the CCTV system at the Stores should be addressed to the Retail Technical Manager by post with the subject heading ‘CCTV Subject Access Request’ to Minerva House, 63-77 Hornby Street, Bury, Manchester, BL9 5BW; or alternatively by email at [email protected].

9.2. If a complainant or enquirer is not satisfied with the response received, they have the right to lodge a complaint with the ICO (details of how to do so can be found on the ICO’s website: